hasherezade hasherezade
hasherezade
/ Program.cs
Last active
July 27, 2021 06:48
A simple app to decode #PurpleFoxEK stegano payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Drawing; | |
| using System.IO; | |
| namespace PurpleFoxPNGDec | |
| { | |
| internal class Program | |
| { | |
| public static int getPrintableLen(byte[] array) | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <Windows.h> | |
| #include <psapi.h> | |
| #include <string> | |
| HANDLE create_new_process(IN const char* path, IN const char* cmd) | |
| { | |
| STARTUPINFOA si; | |
| memset(&si, 0, sizeof(STARTUPINFO)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CLASSES_ROOT\*\shell\PIN_run] | |
| @="Run with PIN" | |
| [HKEY_CLASSES_ROOT\*\shell\PIN_run\command] | |
| @="\"C:\\Pin_Tools\run_me.bat\" \"%1\"" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -e | |
| test -d _hollows_hunter \ | |
| || git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter | |
| cd _hollows_hunter | |
| cmake . \ | |
| -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
hasherezade
/ msil_dec.py
Last active
July 11, 2020 13:06
Helper script for decoding some .NET cryptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python2.7 | |
| import argparse | |
| def decode(data, key, offset, extra_rounds): | |
| maxlen = len(data) | |
| keylen = len(key) | |
| j = 0 #key index | |
| num2 = (maxlen - 1) * (extra_rounds + 1) | |
| decoded = bytearray() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import os | |
| def list_files(dir, ext): | |
| file_list = [] | |
| for root, dirs, files in os.walk(dir): | |
| for file in files: | |
| if file.endswith(ext): | |
| path = os.path.join(root, file) | |
| file_list.append(path) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python2.7 | |
| import sys | |
| import urllib2 | |
| method = 'POST' | |
| content_type = 'text/html' | |
| agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130921 Firefox/24.0' | |
| host = 'pastebin.com' |
hasherezade
/ QNumberEdit.cpp
Created
January 21, 2015 14:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "QNumberEdit.h" | |
| QString QNumberEdit::PREFIX = "0x"; | |
| QNumberEdit::QNumberEdit(QWidget *parent) | |
| : QLineEdit(parent) | |
| { | |
| QRegExp re("("+PREFIX+")?[0-9A-Fa-f]+"); | |
| validator = new QRegExpValidator(re, this); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #IDA script to print all referenced strings along with their references | |
| import idautils | |
| sc = idautils.Strings() | |
| for s in sc: | |
| curr_str = str(s) | |
| str_offset = s.ea | |
| for xref in idautils.XrefsTo(s.ea): | |
| func = idaapi.get_func(xref.frm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
| #include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
| using namespace paramkit; | |
| #define PARAM_CHECKSUM "checks" | |
| #define PARAM_CHECKSUM_FUNC "cfunc" |